The biggest CCTV manufacturer left at least 9 million devices opened to everyone’s eyes

Another Internet of Things (IoT) device provider has been discovered exposing its products to malicious users due to basic security mistakes. Xiongmai, a Chinese closed circuit camera company (CCTV) has been accused by digital forensics specialists for the poor security measures in its XMEye P2P cloud service. Among the issues that experts pointed out are the default credential exposure and unsigned firmware updates that could be delivered through the compromised service.

As a result of these flaws, the cameras could be compromised for different purposes, from spying on their owners, carrying out botnet activities, and even serving as a point of entry for larger network intrusions.

The recommendation of specialists in digital forensics is that the possible affected stop using the Xiongmai OEM and Xiongmai devices completely.

The company has a bad record in cybersecurity; it played an important role in the deployment of Mirai and other IoT devices botnets variants. There are vulnerabilities that were publicly disclosed in 2017 that have not yet been corrected in the latest version of the Xiongmai firmware.

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via a web browser or an iOS or Android application and control the hardware without the need for a local network connection.

Unfortunately, deficiencies in both the devices and the service, such as unencrypted connections and default passwords (the service can be used without users changing the preset password) mean that accessing and compromising Xiongmai services and devices is something really easy.

In addition, according to digital forensics specialists from the International Institute of Cyber Security, Xiongmai devices do not require firmware updates to be signed, which means that attackers could send malware disguised as updates to create a botnet or attack the local network.

“This is possible either by modifying file systems contained in a firmware update, or by modifying the file ‘InstallDesc’ in a firmware update file”, the researchers explain. ‘InstallDesc’ is a text file that contains commands that run during the update.

The researchers say that the company has not only ignored its warnings, but Xiongmai has a history of bad security that goes back to the days of the attack of the botnet Mirai. Given the serious deficiencies of Xiongmai, experts recommend not to use these devices anymore.